#
# This file is handled using salt. Any manual change will be removed !
#
# NOTE(review): this file carries three sets of credentials in place
# (chain-idassert-bind, rootpw, syncrepl). Its owner and mode are not visible
# here; confirm the salt state keeps it readable by the slapd account only.

# Server-side TLS material for slapd's own listeners (paths redacted).
# NOTE(review): no `security`, TLSProtocolMin or TLSCipherSuite directive is
# visible on this page, so nothing shown here forces a client onto TLS before
# a simple bind -- confirm whether that is set elsewhere or was redacted.
TLSCACertificateFile (REDACTED)
TLSCertificateFile (REDACTED)
TLSCertificateKeyFile (REDACTED)

# Schemas: the stock core/cosine/nis/inetorgperson set plus the dnszone, mmc,
# mail, openssh-lpk and ppolicy add-ons.
include /etc/ldap/schema/core.schema
include /etc/ldap/schema/cosine.schema
include /etc/ldap/schema/nis.schema
include /etc/ldap/schema/inetorgperson.schema
include /etc/ldap/schema/dnszone.schema
include /etc/ldap/schema/mmc.schema
include /etc/ldap/schema/mail.schema
include /etc/ldap/schema/openssh-lpk_openldap.schema
include /etc/ldap/schema/ppolicy.schema

pidfile /var/run/slapd/slapd.pid
argsfile /var/run/slapd/slapd.args

# "none" keeps the messages slapd logs whatever the level; "stats" adds one
# line per connection, operation and result, which is the trail needed to
# review binds and searches after the fact.
loglevel none stats

# Backends (mdb, ldap, monitor) and overlays loaded as dynamic modules.
# pw-sha2 supplies the SHA-2 password schemes that password-hash refers to below.
modulepath /usr/lib/ldap
moduleload back_mdb
moduleload back_ldap
moduleload back_monitor
moduleload ppolicy
moduleload memberof
moduleload pw-sha2

# Default password hashing algorithm
# {SSHA512} is a salted, single-pass SHA-512: salted, but a fast hash rather
# than a work-factor KDF, so read access to userPassword still has to be
# restricted by the (redacted) ACLs.
password-hash {SSHA512}

# Chain overlay declared before any database, i.e. globally: slapd follows
# referrals itself instead of handing them back to the client.
overlay chain
chain-uri "ldaps://(REDACTED)/"
# Simple bind to the chain target with the credentials stored on this line;
# mode="self" asserts the identity of the client that triggered the chained
# operation. NOTE(review): presumably the remote server authorises this binddn
# for proxy authorization -- confirm that grant is scoped as narrowly as
# possible, since this account can act on behalf of other identities.
chain-idassert-bind bindmethod="simple" binddn="(REDACTED)" credentials="(REDACTED)" mode="self"
# If chaining fails, return the real error rather than the original referral.
chain-return-error TRUE

backend mdb
database mdb
# 4 threads per core http://www.openldap.org/doc/admin24/tuning.html
# NOTE(review): `threads` sets the size of slapd's thread pool as a whole, so
# this is 4 threads in total; the "per core" wording presumably assumes a
# single-core host -- confirm.
threads 4
# end tuning
# 1GB maximum LMDB size
maxsize 1073741824
suffix "(REDACTED)"
rootdn "(REDACTED)"
# NOTE(review): value redacted. If it is stored in cleartext, replace it with
# a slappasswd-generated hash. The rootdn bypasses every ACL (see the note
# below); presumably rootpw could be dropped on this replica so the rootdn
# cannot be used for a local bind at all -- confirm against how the host is
# administered.
rootpw (REDACTED)
directory "/var/lib/ldap"
index objectClass eq
# also index mail and uid
# entryCSN and entryUUID are the attributes replication searches on.
index entryCSN,entryUUID eq
index mail,mailalias,uid eq
# ACL definitions
#
# Note: the rootdn is always granted full r/w access to
# the database and bypasses any ACLs.
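# (REDACTED)
# ACL definitions end

# Password policy overlay configuration
overlay ppolicy
ppolicy_default "(REDACTED)"
# With this option the password policy response on a bind to a locked account
# carries the AccountLocked error code. That tells the caller the account
# exists and is locked; keep it only if clients depend on that code.
ppolicy_use_lockout
# Hash cleartext userPassword values arriving in Add/Modify requests before
# they are stored.
ppolicy_hash_cleartext
# Send policy state changes caused by binds (failure counters, lockout) to the
# provider instead of writing them to this replica. This relies on the chain
# overlay and the updateref configured in this file.
ppolicy_forward_updates

# MemberOf overlay configuration
overlay memberof

# Syncrepl configuration
# This database is a replication consumer. The bind to the provider is a
# simple bind over ldap:// with StartTLS, so the password is protected only if
# the TLS upgrade actually happens. starttls=critical aborts the session when
# StartTLS fails; with starttls=yes the session would continue without TLS and
# the credentials and replicated entries would cross the network in cleartext.
# tls_reqcert is not set, which leaves certificate verification at its
# "demand" default against tls_cacert.
# retry="10 +" retries every 10 seconds without limit.
syncrepl rid=123
  provider=ldap://(REDACTED)/
  starttls=critical
  tls_cacert=/etc/ssl/certs/ca-certificates.crt
  type=refreshAndPersist
  retry="10 +"
  searchbase="(REDACTED)"
  schemachecking=on
  bindmethod=simple
  binddn="(REDACTED)"
  credentials=(REDACTED)
# Referral handed out for write requests, which this replica does not accept
# itself.
updateref ldaps://(REDACTED)/

# Monitoring (cn=Monitor)
database monitor
# ACL definitions
#
# Admins have full access, monitoring dn read only access,
# other people are rejected.
# (REDACTED)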